Why not to use Magic Quotes

Portability
Assuming it to be on, or off, affects portability. Use
get_magic_quotes_gpc() to check for this, and code
accordingly.

Performance
Because not every piece of escaped data is inserted into a
database, there is a performance loss for escaping all this data.
Simply calling on the escaping functions (like
addslashes()) at runtime is more efficient.
Although php.ini-development enables these directives
by default, php.ini-production disables it.
This recommendation is mainly due to performance reasons.

Inconvenience
Because not all data needs escaping, it's often annoying to see escaped
data where it shouldn't be. For example, emailing from a form, and
seeing a bunch of \' within the email. To fix, this may require
excessive use of stripslashes().

User Contributed Notes 5 notes

Additionally, addslashes() is not a cure-all against SQL injection attacks. You should use your database's dedicated escape function (such as mysql_escape_string) or better yet, use parameterised queries through mysqli->prepare().